Takeaways from ESRM: Not All AppSec Programs Are Created Equal

The recent ESRM event in London was the place to be last week to hear about all things application security. Throughout the day, it was clear there are many approaches to securing software within an organisation. My own presentation focused on the software built within organisations and the obvious truth that not everybody knows what they need to know about their own applications.

Using Software Intelligence to conduct a contextual analysis of software can help reduce the false positives frequently flagged by traditional code checking tools, which are table stakes at this point. Contextual software analysis dives deeper than “code smells” to identify more complex and sophisticated flaws that can have a big impact on business operations. These include:

Malicious code gaining forbidden access to data

Lack of input validation

Back door entry points

Most solutions that identify these vulnerabilities can be further customised to prioritise security violations important to your specific organisation. It’s important to consider the OWASP Top 10 and CWE Top 25 most dangerous software errors in these cases. The Consortium for IT Software Quality has the combined CISQ Top 22 most critical weaknesses (from CWE and OWASP) that can be found through contextual software analysis.

These lists of known security vulnerabilities are invaluable to development teams as they build robust and secure enterprise applications. But security weaknesses go beyond apps developed in-house. In fact, CAST recently published the Software Intelligence Report on Open Source Software to examine how Software Intelligence can be used to find security vulnerabilities in frequently used OSS projects.

Understanding your organisation’s software fully may never be achievable, but understanding it as much as you can will enable you to build and secure better software. CAST’s unique blueprinting capabilities can help dev teams gain unprecedented visibility into the design and functionality of mission-critical software. And as we like to say, a picture is worth a thousand words!

To download a complimentary version of the Software Intelligence Report on OSS, please click here.

Richard is a proven technologist with more than 20 years of experience in the field. He specializes in the optimization of software development lifecycles using waterfall and agile (Scrum and Kanban). He has managed global development teams of more than 100 individuals and is experienced with offshore, nearshore and insourcing.